{"id":1341,"date":"2021-01-07T23:35:00","date_gmt":"2021-01-07T23:35:00","guid":{"rendered":"https:\/\/www.pax8.com\/future-blog\/hipaa-compliance-checklist\/"},"modified":"2023-05-17T01:19:22","modified_gmt":"2023-05-17T01:19:22","slug":"hipaa-compliance-checklist","status":"publish","type":"post","link":"https:\/\/www.pax8.com\/blog\/hipaa-compliance-checklist\/","title":{"rendered":"The MSP’s HIPAA Compliance Checklist"},"content":{"rendered":"

What is HIPAA compliance and how do I maintain it?<\/p>\n

Please note: This article and checklist are meant for general self-evaluation. This article and checklist do NOT certify you or your organization as HIPAA-compliant or certified.<\/em><\/p>\n

Why HIPAA Compliance Matters for MSPs<\/h2>\n

HIPAA compliance is a complicated and delicate undertaking.\u00a0And when we say delicate, we mean delicate like a nuclear reactor, not delicate like a flower. You can\u2019t just\u00a0give your clients\u00a0a few HIPAA policies and go about business as usual, just like you\u00a0cannot\u00a0build a nuclear power plant and leave it alone. In fact, both require auditing, constant supervision, good staffing, good policies and procedures, and excellent reporting and investigation of any issues.<\/p>\n

Compliance with the federal government regarding Patient Health Information (PHI) and electronic Patient Health Information (ePHI) is a full-time job; a few careless mistakes can lead to a total meltdown.\u00a0Compliance\u00a0requires constant monitoring of both technical, physical, security, and administrative practices.\u00a0As MSPs, your lives are already busy enough; adding HIPAA compliance on top of all the other obligations you have\u00a0can seem\u00a0like\u00a0a\u00a0daunting\u00a0task.<\/p>\n

In this article,\u00a0we\u2019ll cover what it means to be compliant\u00a0and provide you with\u00a0some\u00a0resources to\u00a0help keep your company\u00a0and\u00a0your\u00a0clients\u00a0compliant.<\/p>\n

Training staff and employees<\/h2>\n

You wouldn\u2019t just pick a random group of unqualified people to operate and man a nuclear power plant, so why would it be any different for HIPAA compliancy?<\/p>\n

Both your company and your clients\u2019 must train all staff\u00a0in\u00a0basic HIPAA rules and requirements. And in preparation for audits, the training\u00a0sessions\u00a0should be documented and recorded.\u00a0Since HIPAA laws are constantly changing or being tweaked, you should advise your clients to\u00a0designate\u00a0one person as the HIPAA Compliance, Privacy, and\/or Security Officer. If an incident does occur, staff members should be able to anonymously report\u00a0the\u00a0issue.<\/p>\n

Since neither your company nor your clients exist in an isolated bubble, the next group of people you need to think\u00a0about\u00a0are\u00a0Business Associates<\/a>\u00a0(BA).\u00a0MSPs\u00a0are considered to be\u00a0BAs, by the way, if they service a Covered Entity (CE) or other BAs.\u00a0Any\u00a0vendor that\u00a0come in contact with\u00a0PHI\u00a0is considered to be\u00a0a BA. Just like any outside workers who come into the nuclear power plant must first be vetted and outfitted with protective gear, BAs must sign a Business Associate Agreement (BAA) before\u00a0they are allowed access to any PHI. They also need to be audited to make sure they are HIPAA compliant.<\/p>\n

Managing audits<\/h2>\n

Audits are not fun, but they are necessary to make sure everything and everyone\u00a0is\u00a0doing what they are supposed to\u00a0do. It\u2019s important to conduct the following audits\/assessments based on\u00a0National\u00a0Institute of Standards and Technology (NIST) guidelines<\/a>:<\/p>\n